dodahday - BSD

dodahday

I am now getting notifications of failed mail
delivery from direcway. The mail is being returned
from dodahday@direcway.com as a result of that
user being over quota. The header, but not the message,
is returned in the notification. To the best of my
knowledge I am not sending any email to dodahday.
Any ideas about how this is happening?

Thanks,
Dave Feustel

Re: dodahday

dave writes:
> I am now getting notifications of failed mail
> delivery from direcway. The mail is being returned
> from dodahday@direcway.com as a result of that
> user being over quota. The header, but not the message,
> is returned in the notification. To the best of my
> knowledge I am not sending any email to dodahday.
> Any ideas about how this is happening?

Welcome to the world of spam. Someone, somewhere, is sending something
(typically spam) with your email address as the return address. Nothing
you can do about it.

// marc

Re: dodahday

Marco S Hyman wrote:
> dave writes:
>
>> I am now getting notifications of failed mail
>> delivery from direcway. The mail is being returned
>> from dodahday@direcway.com as a result of that
>> user being over quota. The header, but not the message,
>> is returned in the notification. To the best of my
>> knowledge I am not sending any email to dodahday.
>> Any ideas about how this is happening?
>
> Welcome to the world of spam. Someone, somewhere, is sending something
> (typically spam) with your email address as the return address. Nothing
> you can do about it.
>
> // marc

Thanks for the bad news. :-) I had thought of that possibility but
wondered (as a result of an included ip that matched my 192... address)
whether someone had used a sendmail exploit to relay email through my
computer.

Tonight all of a sudden mplayer is dying while playing audio feeds.
It's happened on two feeds and I can't reconnect either feed. I'm
also suddenly getting porno email from an address of a company in TX
that advertises legal services. I wonder if I have pissed off yet
another soul somehow. All I did was email an article about George
Bush & Co to a couple of my closest friends. :-)

Re: dodahday

dave writes:
> is returned in the notification. To the best of my
> knowledge I am not sending any email to dodahday.
> Any ideas about how this is happening?

What you're seeing is just a side effect of spammers using from
addresses picked at random. Yours happened to be the one they picked
that day. When you're postmaster you tend to see a few bizarre
variations on this. The way it plays out is usually something like
this:

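1) a spammer's message somehow manages to get through to a mail server
for one of our domains

2) the message is addressed to something_undeliverable@datadok.no, and
my server bounces with an "unknown user" message

3) the from address is another undeliverable at the from address' domain,
and the from domain's server bounces my server's bounce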

the spammer of course sent the trash from somewhere totally unrelated
to the apparent from domain, but that will not keep them from claiming
that the quality of their multimillion address list is sterling and
then some.

Re: dodahday

On Fri, 16 Feb 2007 09:06:55 +0100, Peter N. M. Hansteen wrote:
> dave writes:
>
>> is returned in the notification. To the best of my
>> knowledge I am not sending any email to dodahday.
>> Any ideas about how this is happening?
>
> What you're seeing is just a side effect of spammers using from
> addresses picked at random. Yours happened to be the one they picked
> that day. When you're postmaster you tend to see a few bizarre
> variations on this. The way it plays out is usually something like
> this:
>
> 1) a spammer's message somehow manages to get through to a mail server
> for one of our domains
>
> 2) the message is addressed to something_undeliverable@datadok.no, and
> my server bounces with an "unknown user" message
>
> 3) the from address is another undeliverable at the from address' domain,
> and the from domain's server bounces my server's bounce
>
> the spammer of course sent the trash from somewhere totally unrelated
> to the apparent from domain, but that will not keep them from claiming
> that the quality of their multimillion address list is sterling and
> then some.

When a mail server accepts mail, then at a later point determines it is
non-deliverable and sends a rejection notice back to the fabricated
"from" address -- it produces a type of e-mail known as "backscatter."

Backscatter is considered abusive behavior by many mail admins. The
modern trend is to *never* accept undeliverable mail, but reject it during
the initial sending. Think of it this way: a spam run sends 2 million
e-mails with Dave's e-mail address as the "From" userid. If all of the
mail servers issue "undeliverable" e-mails to Dave ... Dave will get 2
million e-mails. Not friendly. Instead, if all mail servers reject the
e-mail during their session with the spammer's servers ... Dave gets
nothing. Better, eh?

The SMTP protocol allows for two types of rejections: 5xx error codes are
permanent rejections, and 4xx codes are temporary rejections (such as user
over quota, or other temporary issues).

--
Replying directly will get you locally blacklisted.
Change the address; use my first name in front of the @ if you want to
communicate privately.

Re: dodahday

On Fri, 16 Feb 2007, in the Usenet newsgroup comp.unix.bsd.openbsd.misc, in
article <87bqjujzkw.fsf@thingy.datadok.no>, Peter N. M. Hansteen wrote:
>What you're seeing is just a side effect of spammers using from
>addresses picked at random. Yours happened to be the one they picked
>that day. When you're postmaster you tend to see a few bizarre
>variations on this. The way it plays out is usually something like
>this:
>
>1) a spammer's message somehow manages to get through to a mail server
> for one of our domains
>
>2) the message is addressed to something_undeliverable@datadok.no,

and this should cause the mail server to respond with a

550 Requested action not taken: mailbox unavailable

ending that transaction right then and there.
> and my server bounces with an "unknown user" message

Point your news reader at news.admin.net-abuse.blocklisting and find out
that this is called "backscatter" and the second fastest way to get your
IP address onto blocklists behind sending spam directly. Fix your mail
server so that it knows who is a valid recipient, and do not accept any
mail for unknowns, so that you don't have to bounce it.
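
The difference the replies above describe, between accepting mail and bouncing it later versus refusing it at RCPT TO, shown as a small simulation. This is an added example, not part of the original thread; the addresses, the recipient table and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed recipient table for a hypothetical domain example.org.
VALID = {"postmaster@example.org", "alice@example.org"}
OVER_QUOTA = {"alice@example.org"}      # constructed: mailbox currently full

def rcpt_reply(rcpt):
    """Reply to RCPT TO, decided while the sending client is still connected."""
    if rcpt not in VALID:
        return 550, "Requested action not taken: mailbox unavailable"
    if rcpt in OVER_QUOTA:
        # Temporary failure: a real sender retries, the forged one sees nothing.
        return 452, "Requested action not taken: insufficient system storage"
    return 250, "OK"

def accept_then_bounce(messages):
    """Server that accepts everything, then mails a bounce to the envelope sender."""
    bounces = Counter()
    for mail_from, rcpt in messages:
        code, _ = rcpt_reply(rcpt)
        # An empty envelope sender marks a bounce; bouncing a bounce makes loops.
        if code != 250 and mail_from != "":
            bounces[mail_from] += 1     # lands in the forged sender's inbox
    return bounces

def reject_in_session(messages):
    """Server that knows its recipients: the failure stays in the SMTP session."""
    replies = Counter()
    for _mail_from, rcpt in messages:
        code, _ = rcpt_reply(rcpt)
        replies[code // 100] += 1       # 2 = accepted, 4 = temporary, 5 = permanent
    return replies                      # no bounce message is ever generated

def spam_run(n, forged="dave@example.net"):
    """Constructed traffic: n spam messages with one forged envelope sender."""
    msgs = [(forged, f"user{i}@example.org") for i in range(n)]
    msgs.append((forged, "alice@example.org"))                   # over quota
    msgs.append(("", "nobody@example.org"))                      # incoming bounce
    msgs.append(("bob@example.com", "postmaster@example.org"))   # legitimate mail
    return msgs

if __name__ == "__main__":
    run = spam_run(1000)
    print("bounces sent to forged sender:", accept_then_bounce(run)["dave@example.net"])
    print("replies by class when rejecting in-session:", dict(reject_in_session(run)))
```
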